CN103888257A - Network camera identity authentication method based on TPCM - Google Patents

Info

Publication number: CN103888257A
Authority: CN (China)
Application number: CN201310536210.8A
Other languages: Chinese (zh)
Other versions: CN103888257B (en)
Prior art keywords: trusted gateway, web camera, identity, authentication, camera
Legal status: granted; currently active
Inventors: 张松鸽, 白鑫, 王昱波, 张松亚, 胡俊, 公备, 赵勇
Current assignee: Beijing University of Technology
Original assignee: Beijing University of Technology
Application filed by Beijing University of Technology; priority to CN201310536210.8A; publication of CN103888257A; application granted and published as CN103888257B
Abstract

The invention provides a network camera identity authentication method based on a TPCM. A network camera and a trusted gateway each generate a self-signed digital certificate that contains the value of a platform configuration register and the measurement result of the memory code segment currently in operation; an authentication center verifies the validity of the digital certificate and so confirms the identity of the verified party. The advantages are that the measurement values taken during the device's start-up process are stored in the platform configuration register, so the hardware of the network camera and of the trusted gateway is guaranteed to be unchanged; the measurement of the memory code segment guarantees the trustworthiness of the device identity from the software side; and the signature key is generated by the TPCM chip and bound to the device's hardware platform state, so the digital certificate is difficult to forge.

Description

Network camera identity authentication method based on TPCM
Technical field
The present invention relates to information security technology, and in particular to a network camera identity authentication method that uses the security mechanisms provided by trusted computing.
Background technology
At present, with the rapid development of information and network technology and the continuing construction of "safe city" projects, network cameras are used ever more widely in daily life. They are no longer confined to high-security sites but are also commonly deployed in everyday places such as residential communities and roads. The sites where a video surveillance system has to be installed usually have high security requirements; once the surveillance system is attacked and damaged by a malicious user, the consequences cannot be estimated, so the security of the surveillance system itself must be protected.
However, existing network camera surveillance systems still have the following security weaknesses. On the one hand, the existing system cannot guarantee the trustworthiness of the network camera itself: the camera may be replaced by a counterfeit illegal terminal or illegally modified, and once the camera has been compromised the trustworthiness of the video data source can no longer be guaranteed. On the other hand, a counterfeit substitute terminal is very likely to attack the video server of the surveillance system directly while data is being transferred and take the opportunity to tamper with or destroy the video data on the video server; at best this loses video data, at worst it disrupts the normal operation of the video server and paralyses the whole surveillance system.
Only when the security of the network camera itself has been solved can information security be guaranteed from the source. It therefore becomes increasingly important to authenticate the identity of a network camera requesting access and to develop a trusted authentication mechanism for network camera access, so that the source of the video surveillance system is trustworthy, the surveillance system is secure, and it operates stably.
Identity authentication is used to verify the legitimacy of user and terminal identities. It plays a vital role in ensuring that information is obtained and accessed only by legitimately authorised parties and is a strong means of ensuring terminal security; establishing an effective identity authentication mechanism is therefore one of the keys to system security.
A great deal of research on identity authentication has been done, with satisfactory results. Among the approaches, the digital certificate is very suitable for authenticating a terminal platform, because it is both secure and flexible to use, and it has become a focus of attention in all industries.
A digital certificate is a file, digitally signed by a certificate authority (CA), that contains information about the owner of a public key together with the public key itself. The simplest digital certificate consists of a public key, a name and the digital signature of a certificate authority. A digital certificate is a set of data that identifies the parties in a network interaction; it can be used to verify the identity of each party, and its function corresponds to the identity card people use in daily life. Today it is common to adopt PKI technology and set up a certificate service system; binding a digital certificate to a network entity's public key makes it possible to authenticate every entity in the network effectively.
However, the non-repudiation of a digital certificate only guarantees that the terminal platform has not been counterfeited; it cannot guarantee the integrity of the terminal itself. Moreover, traditional digital certificates are issued by a CA, and a user who applies to a CA for a certificate must pay a fee, which becomes expensive when a large number of certificates is needed. How to guarantee the integrity of the network camera's hardware and software platform while guaranteeing its identity, and at the same time reduce the cost of network camera authentication, has become an urgent problem.
Summary of the invention
In view of the problems mentioned above, and in order to solve the identity authentication problem before a network camera transmits data, the invention provides a network camera identity authentication method based on a trusted platform control module (hereinafter TPCM). In the invention, a TPCM measures the start-up process of the network camera and of the trusted gateway respectively, the memory code segments into which the kernel program and application programs have been loaded are measured, and the measurement values are stored in an identity certificate. After a normal start-up, or whenever an anomaly is detected, the network camera and the trusted gateway each generate a new identity certificate in a self-signed manner, so that any forgery, modification or tampering of the network camera or the trusted gateway causes them to fail verification by the authentication center. Because the identity certificate is signed with the private key of the network camera or of the trusted gateway instead of being issued by a CA, cost is greatly reduced and efficiency is improved.
The invention is realised as follows: a TPCM-based network camera identity authentication method, in a system comprising a network camera platform system, a trusted gateway platform system and an authentication center system, the three being connected by a network. The authentication center, as a third party, authenticates the identity certificates.
The concrete technical scheme of the invention is as follows:
A TPCM-based network camera identity authentication method, comprising:
generating an identity certificate from the platform's measurement values according to the parameter format of a digital certificate;
the identity certificate is used to realise the identity authentication of the network camera and of the trusted gateway;
the platform measurement values comprise the measurement value of the platform device's start-up process and the measurement values of the memory code segments into which the kernel program and application programs are loaded;
the start-up measurement process means that, starting from a fixed section of trusted code on the device, before control is handed to the next section of code the current trusted code measures the code that will execute next and extends the measurement result into the platform configuration register (hereinafter PCR); this chain of measurement runs through the whole start-up process of the device;
the measurement value of the memory code segment is obtained by measuring the memory code segments of the platform device's kernel program and application programs;
a TPCM is embedded in the platform device, and the identity certificate of the platform can be signed with the private key of the signature key generated by the platform system, producing a self-signed identity certificate;
the signature key is bound to the hardware and software platform state of the platform device, and the platform's signature key can be loaded successfully only when the device's hardware and software platform state reaches the expected state.
The method comprises the following steps:
(1) Initialisation
Step 1: the authentication center server publishes the public key of the authentication center;
Step 2: the network camera platform system sends the expected PCR value of the network camera, the expected measurement value of its memory code segment and the public key of its signature key to the authentication center server, and the trusted gateway platform system sends the expected PCR value of the trusted gateway, the expected measurement value of its memory code segment and the public key of its signature key to the authentication center server;
Step 3: the authentication center server initialises the network camera identity database and the trusted gateway identity database; it forms the serial number, PCR value, memory code segment measurement value and signature public key of the network camera into a network camera identity information list stored in the network camera identity database, and forms the serial number, PCR value, memory code segment measurement value and signature public key of the trusted gateway into a trusted gateway identity information list stored in the trusted gateway identity database;
Step 4: the network camera, the trusted gateway and the authentication center negotiate the validity period of identity certificates;
Step 5: the network camera reads the PCR value from its TPCM; if the PCR value equals the camera's expected PCR value, the camera's signature key is loaded;
Step 6: the network camera measures the memory code segments of its loaded kernel program and video application, takes the memory code segment measurement result together with the PCR value as its authentication information, signs it with the private key of the camera's signature key, and so generates the camera's identity certificate;
Step 7: the trusted gateway reads the PCR value from its TPCM; if the PCR value equals the gateway's expected PCR value, the gateway's signature key is loaded;
Step 8: the trusted gateway measures the memory code segments of its loaded kernel program and application programs, takes the measurement result together with the PCR value as its authentication information, signs it with the private key of the gateway's signature key, and so generates the gateway's identity certificate;
(2) Identity authentication flow
Step 1: the network camera platform system queries the camera's serial number and sends the camera's identity certificate and serial number to the trusted gateway as the camera's identity authentication request;
Step 2: the network camera platform system receives the video data sent by the camera's image sensor module and sound sensor module and stores it in the camera's data buffer;
Step 3: on receiving the camera's identity authentication request, the trusted gateway reads it, composes a certificate authentication request message from the gateway's identity certificate and serial number and the camera's identity certificate and serial number, sends the message to the authentication center and waits for the certificate verification result;
Step 4: on receiving the certificate authentication request message from the trusted gateway, the authentication center reads it, queries the network camera identity database by the camera's serial number to obtain the corresponding camera identity information list, and queries the trusted gateway identity database by the gateway's serial number to obtain the corresponding gateway identity information list. It verifies the camera's identity certificate with the camera's public key, judges from the certificate's generation time whether the certificate has exceeded the configured validity period, compares the information in the camera's certificate with the data in the camera identity information list, and generates the camera's identity authentication result. It verifies the gateway's identity certificate with the gateway's public key, judges from the generation time whether the certificate has exceeded the validity period, compares the information in the gateway's certificate with the data in the gateway identity information list, and generates the gateway's identity authentication result. It signs both results with the authentication center's private key and sends the signed results to the trusted gateway;
Step 5: the trusted gateway receives the certificate authentication result sent by the authentication center and verifies its signature with the center's public key. If signature verification fails, the gateway sends the certificate authentication request message to the authentication center again; otherwise it forwards the result signed by the center's private key to the camera and reads the authentication results of the camera and of the gateway. If both the camera and the gateway pass, the gateway opens the data forwarding channel between the gateway and the camera and waits to receive video data; if the gateway's authentication fails, it raises an alarm and restarts the gateway;
Step 6: the network camera receives the certificate authentication result forwarded by the gateway and verifies its digital signature with the center's public key. If verification fails, the camera sends the identity authentication request to the gateway again, returning to step 1; if verification succeeds, the camera reads the authentication results of the camera and of the gateway. If both pass, the camera sends the video data held in its data buffer to the gateway through the data forwarding channel between them; if the camera's authentication fails, it raises an alarm and restarts the camera.
As seen from the above technical scheme, the invention provides a TPCM-based network camera identity authentication method: identity certificates are generated from the identity information of the network camera and of the trusted gateway respectively, following the parameter format of a digital certificate, and authentication is realised by having a third-party authentication center verify those certificates.
The third-party authentication center is built on a single server. Before authenticating a network camera, it has set up a network camera identity database and a trusted gateway identity database, holding the identity information lists of the cameras and of the gateways respectively. An identity information list comprises the platform's public key information, PCR information, memory code segment measurement value and the serial number of the platform device. The device serial number is unique; the authentication center queries the camera identity database and the gateway identity database by serial number, obtains the identity information list corresponding to that serial number and verifies the legitimacy of the identity certificate. Because the public key and platform state measurement values of a platform system are stored directly in the authentication center's database, they need not be transmitted during authentication, which reduces the interaction and avoids leaking public key information in transit. The invention inherits the format of the digital certificate, so the certificate is easy to use in practice and users can realise network camera authentication on top of existing infrastructure. Applying the invention not only solves the counterfeiting problem of network cameras but also guarantees the integrity of the camera itself, realising bidirectional identity authentication between network camera and trusted gateway more reliably. The invention is simple to operate: the authenticating party and the authenticated party need not exchange information back and forth, so interaction is reduced; it changes existing technology little, has good compatibility, and is easy to put into practical use.
Brief description of the drawings
Fig. 1 is the system architecture diagram of a preferred embodiment of the invention;
Fig. 2 is a schematic diagram of the structure of a network camera according to one embodiment of the invention;
Fig. 3 is a schematic diagram of the structure of the authentication center of the invention;
Fig. 4 is the overall flow chart of the authentication process of the invention;
Fig. 5 is a flow chart illustrating the identity authentication of the network camera platform system in one embodiment of the invention;
Fig. 6 is a flow chart illustrating how the authentication center of one embodiment of the invention processes an identity authentication request.
Embodiment
The invention is further described below with reference to the accompanying drawings and a concrete implementation case.
Fig. 1 shows the system architecture of a preferred embodiment of the invention. The invention is a network camera identity authentication system comprising mainly a network camera platform system, a trusted gateway platform system and an authentication center system. The camera platform system and the gateway platform system exchange authentication messages over a control channel and transmit video data over a data forwarding channel; the data channel between them is opened only when both the camera and the gateway have passed identity authentication. The camera platform system sends the camera's identity certificate to the third-party authentication center system for authentication, the gateway platform system sends the gateway's identity certificate to the authentication center system for verification, and the authentication center system verifies whether the identities of the camera and of the gateway are legitimate, thereby deciding whether video data may be transmitted between the camera platform system and the gateway platform system.
Fig. 2 shows the structure of the network camera platform system. It comprises three modules: an integrity collection module, a trusted platform evaluation module and an authentication module. The integrity collection module collects the camera's integrity measurement information, comprising the camera's trusted start-up measurement value and memory code segment measurement value. A TPCM chip embedded in the camera is used to measure the camera's start-up process.
During start-up the TPCM measures the integrity of the camera's MBR, boot loader, operating system kernel, operating system drivers and the files used in each start-up stage; the integrity of the trusted start-up chain is realised by extending PCR values, and the measurement results are stored in the PCRs.
A PCR (platform configuration register) is located inside the TPCM and stores various digest values. The SHA-1 secure hash algorithm is used to compute the digest of the trusted code about to execute, and the register is modified by an extend operation, in which the newly produced value replaces the current PCR value. In the invention, PCR0 holds the measurement of the core root of trust for measurement (CRTM), PCR1 the measurement of the camera's hardware configuration, PCR2 the measurement of the boot loader, PCR3 the measurement of the kernel, PCR4 the measurement of the ramdisk, and PCR5-7 measurements related to the application programs. After the camera has started normally, the values of PCR0-7 are passed to the camera's integrity measurement layer and handed over to the integrity collector.
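The following Python is an added illustration, not code from the patent, of the PCR extend chain described above: each boot stage is hashed with SHA-1 before it runs and the digest is folded into the register assigned to it in the PCR0-7 layout just given, so the final register values depend on every stage and on the order in which the stages ran. The boot-stage contents, the register assignment table and all function names are constructed for the example; the "expected" values a verifier would store are simply the registers recorded from a known-good start-up.

```python
import hashlib

# Register assignment the patent describes: PCR0 = CRTM, PCR1 = hardware
# configuration, PCR2 = boot loader, PCR3 = kernel, PCR4 = ramdisk,
# PCR5-7 = application-related measurements.
PCR_LAYOUT = {0: "crtm", 1: "hardware_config", 2: "bootloader",
              3: "kernel", 4: "ramdisk", 5: "app", 6: "app", 7: "app"}
PCR_SIZE = 20                       # SHA-1 digest length in bytes

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR_new = SHA-1(PCR_old || measurement). The register is never written
    directly, only extended, so what it records is the sequence of measurements."""
    return sha1(pcr + measurement)

def measured_boot(stages):
    """stages: (pcr_index, code_bytes) pairs in boot order. Each stage is hashed
    before control passes to it and the digest is extended into its register.
    Returns the eight PCR values after start-up."""
    pcrs = [b"\x00" * PCR_SIZE] * 8
    for index, code in stages:
        pcrs[index] = pcr_extend(pcrs[index], sha1(code))
    return pcrs

def pcr_quote(pcrs):
    """Hex form of the registers, as handed to the integrity collector."""
    return [p.hex() for p in pcrs]

# Constructed stand-ins for the real boot-stage images.
GOOD_BOOT = [(0, b"CRTM v1"), (1, b"hw: image sensor + microphone"),
             (2, b"boot loader 2.0"), (3, b"kernel 3.10"), (4, b"ramdisk"),
             (5, b"video application"), (6, b"stream server"), (7, b"app config")]

# The expected values the authentication center stores at enrollment are
# simply the registers recorded from a known-good start-up.
EXPECTED_PCRS = measured_boot(GOOD_BOOT)

def platform_matches(pcrs, expected) -> bool:
    return pcrs == expected

def changed_registers(pcrs, expected):
    """Indices of registers that differ, which tells which boot stage changed."""
    return [i for i, (a, b) in enumerate(zip(pcrs, expected)) if a != b]

if __name__ == "__main__":
    altered = list(GOOD_BOOT)
    altered[2] = (2, b"boot loader 2.0 (modified)")
    print(changed_registers(measured_boot(altered), EXPECTED_PCRS))   # [2]
```

Because the register is extended rather than overwritten, a changed boot loader shows up only in PCR2 while the other registers still match, which is what lets the platform evaluation module name the stage that changed; extending the same register with the same two measurements in the opposite order also yields a different value, so the chain records order as well as content.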
In addition, the memory code segment measurement of the camera covers the kernel module list, the kernel modules in that list, the kernel code segment, the process list and the processes in that list. These programs are loaded into memory code segments, the memory code segments are measured with the SHA-1 algorithm, and the measurement value is passed to the camera's integrity collector.
The trusted platform evaluation module of the camera compares the PCR values collected by the camera's integrity collector with the camera's expected PCR values to evaluate the integrity of the camera platform, and then loads the camera's signature key. Because the camera's signature key is bound to the camera's platform state, if the system is tampered with during start-up the PCR values will differ, the platform integrity of the camera is broken, and the camera's signature key cannot be loaded.
The authentication module of the camera generates the camera's identity certificate according to the evaluation result of the platform evaluation module, writes the integrity measurement values collected by the integrity collection module into the camera's identity certificate to identify the camera, and signs the certificate with the private key of the camera's signature key.
The concrete functions realised by the network camera are as follows:
(1) before identity authentication, the network camera platform system initialises the camera's integrity collector and generates the camera's integrity measurement values, comprising the start-up process measurement value and the measurement value of the memory code segments holding the camera's kernel program and related applications;
(2) in the trusted platform evaluation layer it completes the trusted platform evaluation, verifies the integrity of the trusted platform, and sends an integrity measurement report to the trusted gateway;
(3) in the network access control layer it loads the camera's signature key according to the evaluation result of the trusted platform evaluation layer, generates the camera's identity certificate, sends the camera's identity authentication request, receives the identity authentication result and verifies the platform identity;
(4) according to the identity authentication result it generates the camera's video transmission decision and transmits video data accordingly.
Fig. 3 shows the structure of the authentication center in the embodiment of the invention. The authentication center is built on a single server, on which a network camera identity database and a trusted gateway identity database are set up, storing respectively the identity information lists of the cameras and of the gateways; an identity information list comprises the serial number, public key information, PCR value and memory code segment measurement value of the corresponding platform device. The authentication center queries the camera identity database by the camera's serial number and the gateway identity database by the gateway's serial number, obtains the identity information list of the platform device, verifies the legitimacy of the corresponding identity certificate with the public key in that list, and compares the PCR value and memory code segment measurement value in the list with the corresponding values in the certificate to verify the integrity of the platform device's hardware and software platform.
Before authentication, the camera's identity information list has already been stored in the authentication center's camera identity database and the gateway's identity information list in the gateway identity database, so these data need not be transmitted during authentication; this keeps the identity information of the camera and of the gateway from being disclosed and also reduces the interaction of the authentication.
Fig. 4 shows the flow chart of identity authentication among the network camera, the trusted gateway and the authentication center in the invention; the concrete authentication flow is as follows:
Step 1: the network camera platform system sends the camera's PCR value, memory code segment measurement value and signature public key to the authentication center server, and the trusted gateway platform system sends the gateway's PCR value, memory code segment measurement value and signature public key to the authentication center server;
Step 2: the authentication center server initialises the network camera identity database and the trusted gateway identity database; it forms the camera's serial number, PCR value, memory code segment measurement value and signature public key into a camera identity information list stored in the camera identity database, and forms the gateway's serial number, PCR value, memory code segment measurement value and signature public key into a gateway identity information list stored in the gateway identity database;
Step 3: the camera platform system obtains the integrity measurement values from the camera's integrity measurement module; the trusted platform evaluation module evaluates the camera's platform integrity from those values and loads the camera's signature key; the camera's authentication module generates the camera's identity certificate from the measurement results of the integrity measurement module and the evaluation result of the trusted platform evaluation module;
Step 4: the camera receives the video data sent by its image sensor module and sound sensor module and stores the received data in the camera's data buffer;
Step 5: the camera's authentication module sends an identity authentication request to the trusted gateway and waits for the authentication reply;
Step 6: the gateway receives the camera's identity authentication request and obtains the integrity measurement values from the gateway's integrity measurement module; the trusted platform evaluation module evaluates the gateway's platform integrity from those values and loads the gateway's signature key; the gateway's authentication module generates the gateway's identity certificate from the measurement results of the integrity measurement module and the evaluation result of the trusted platform evaluation module;
Step 7: the gateway sends an authentication reply to the camera, telling the camera to send its authentication message, and waits for the camera's authentication message;
Step 8: the camera receives the gateway's authentication reply, sends the camera's identity certificate and serial number to the gateway as its authentication message, and waits for the identity authentication result;
Step 9: on receiving the camera's authentication message, the gateway looks up its own identity certificate and serial number, composes a certificate authentication request message from the gateway's identity certificate and serial number and the camera's identity certificate and serial number, sends the message to the authentication center and waits for the certificate verification result;
Step 10: on receiving the certificate authentication request message from the gateway, the authentication center queries the camera identity database by the camera's serial number to obtain the camera identity information list, and queries the gateway identity database by the gateway's serial number to obtain the gateway identity information list; it verifies the camera's identity certificate against the information in the camera identity information list and the gateway's identity certificate against the gateway identity information list, generates the certificate authentication results, and signs the certificate authentication results of the camera and of the gateway with the authentication center's private key;
Step 11: the authentication center sends the signed certificate authentication results to the gateway;
Step 12: the gateway receives the certificate authentication result sent by the authentication center and verifies its digital signature with the center's public key. If verification fails, the gateway sends the certificate authentication request message to the authentication center again; otherwise it forwards the result signed by the center's private key to the camera and reads the certificate authentication result. If both the camera and the gateway pass, the gateway opens the data forwarding channel between the gateway and the camera and waits to receive video data; if the gateway's authentication fails, it raises an alarm and restarts the gateway;
Step 13: the camera receives the certificate authentication result forwarded by the gateway and verifies its digital signature with the center's public key. If verification fails, the camera sends the identity authentication request to the gateway again, returning to step 5; if verification succeeds, the camera reads the certificate authentication result. If both the camera and the gateway pass, the camera sends the video data held in its data buffer to the gateway through the data forwarding channel between them; if the camera's authentication fails, it raises an alarm and restarts the camera.
Fig. 5 illustrates the identity authentication flow of the network camera in the present invention:
(1) The TPCM measures the trusted boot process of the network camera by the method of PCR value extension and stores the PCR values in the integrity collection module of the network camera.
(2) The trusted platform evaluation module obtains the PCR values from the integrity collection module and compares them with the expected PCR values; if they are consistent, the signature key of the network camera is loaded; otherwise it reports that loading the signature key failed and stops authentication.
(3) The integrity collection module loads the kernel program and the video application into the memory code segment and measures the memory code segment.
(4) The authentication module of the network camera obtains the measurement value from the integrity collector and digitally signs the PCR values and the measurement value of the memory code segment with the private key of the loaded signature key, forming the self-signed identity certificate of the network camera.
(5) The authentication module of the network camera reads the serial number of the network camera.
(6) The authentication module of the network camera sends the serial number and identity certificate of the network camera to the trusted gateway as the authentication message of the network camera, and identity authentication is carried out.
(7) The authentication module receives the certificate verification result sent by the trusted gateway, verifies its digital signature with the public key of the authentication center, and makes the response decision according to the identity verification results of the network camera and the trusted gateway: if both the network camera and the trusted gateway are trusted, the network camera sends the video data held in its data buffer to the trusted gateway; if the network camera is not trusted, it raises an alarm and restarts the network camera.
Fig. 6 shows the data flow of identity authentication at the authentication center; the concrete steps are as follows:
(1) The authentication center publishes the public key of the authentication center.
(2) The authentication center server initializes the network camera identity database and the trusted gateway identity database: it generates the network camera identity information list from the serial number of the network camera, the PCR value of the network camera, the measurement value of the memory code segment of the network camera and the public key of the signature key of the network camera, and stores it in the network camera identity database; it generates the trusted gateway identity information list from the serial number of the trusted gateway, the PCR value of the trusted gateway, the measurement value of the memory code segment of the trusted gateway and the public key of the signature key of the trusted gateway, and stores it in the trusted gateway identity database; it then waits to receive certificate verification requests.
(3) The authentication center receives the certificate verification request sent by the trusted gateway.
(4) The authentication center queries the network camera identity database with the serial number of the network camera and obtains the network camera identity information list; if no corresponding network camera identity information list is found, the authentication center sends an authentication failure message to the trusted gateway;
(5) The authentication center verifies the identity certificate of the network camera with the public key of the network camera, judges from the generation time of the certificate whether the certificate exceeds the set validity period, compares the PCR value and the memory code segment measurement value in the identity certificate of the network camera with the PCR value and the memory code segment measurement value in the obtained network camera identity information list for consistency, and generates the certificate verification result of the network camera;
(6) The authentication center queries the trusted gateway identity database with the serial number of the trusted gateway and obtains the trusted gateway identity information list; if no corresponding trusted gateway identity information list is found, the authentication center sends an authentication failure message to the trusted gateway;
(7) The authentication center verifies the identity certificate of the trusted gateway with the public key of the trusted gateway, judges from the generation time of the certificate whether the certificate exceeds the validity period, compares the PCR value and the memory code segment measurement value in the identity certificate of the trusted gateway with those in the trusted gateway identity information list for consistency, and generates the certificate verification result of the trusted gateway;
(8) The authentication center signs the certificate verification results of the network camera and the trusted gateway with the private key of the authentication center;
(9) The authentication center sends the signed certificate verification result to the trusted gateway.
Because the present invention adopts the above structure, it provides bidirectional identity authentication between the network camera and the trusted gateway: the trusted boot measurement value and the memory code segment measurement value are stored in the identity certificate as authentication information; the signature key used to sign the identity certificate is bound to the hardware and software platform state of the network camera and the trusted gateway, and whether the signature key may be loaded is decided by judging whether the platform state is consistent with what is expected. In addition, the kernel program and associated video application of the network camera in the network camera system, and the kernel program and corresponding policy forwarding process in the trusted gateway, are measured, which further ensures platform integrity. Authentication between the network camera and the trusted gateway is carried out through a third-party authentication center, and the expected measurement values are stored in the database of the authentication center before authentication, which prevents an attacker from stealing platform configuration data during the authentication process. From the above implementation, the present invention achieves identity authentication in the following respects:
Integrity of platform identity: in the identity authentication process, the data exchanged among the network camera, the trusted gateway and the authentication center are the values of PCR0-7 and the measurement value of the memory code segment. These are respectively the measurement results of the boot process of the network camera and the trusted gateway and the measurement results of the kernel code and application program; any hardware modification of, or software attack on, the network camera or the trusted gateway makes the boot measurement value or the memory code measurement result differ from the expected value, so the device cannot pass the verification of the authentication center.
Credibility of platform identity: in the identity authentication process, the signature key can be loaded successfully only when the platform state of the network camera and the trusted gateway reaches the expected state, and the authentication center verifies the identity certificate with the public key of the signature key, which ensures that the identity certificate cannot be forged by an impersonator.

Claims (1)

1. A network camera identity authentication method based on TPCM, characterized in that the system comprises a network camera platform system, a trusted gateway platform system and an authentication center system, the three being connected by a network; the method comprises the following steps:
1.1 Before authentication, the authentication center server generates the key of the authentication center and publishes the public key of the key of the authentication center; the network camera system generates the signature key of the network camera and publishes the public key of the signature key of the network camera; the trusted gateway system generates the signature key of the trusted gateway and publishes the public key of the signature key of the trusted gateway;
1.2 The authentication center server initializes the network camera identity database and the trusted gateway identity database; it forms the network camera identity information list from the serial number of the network camera, the value of the platform configuration register (hereinafter PCR) of the network camera, the measurement value of the memory code segment in which the kernel program and application program of the network camera have been loaded, and the public key of the signature key of the network camera, and stores it in the network camera identity database; it forms the trusted gateway identity information list from the serial number of the trusted gateway, the PCR value of the trusted gateway, the measurement value of the memory code segment in which the kernel program and application program of the trusted gateway have been loaded, and the public key of the signature key of the trusted gateway, and stores it in the trusted gateway identity database; it then waits to receive identity authentication requests;
1.3 The network camera system measures the boot process of the network camera, measures the memory code segment in which the kernel program of the network camera and the video application of the network camera have been loaded, loads the signature key of the network camera and generates the identity certificate of the network camera; the identity certificate of the network camera comprises the trusted boot measurement value of the network camera and the measurement value of the memory code segment in which the kernel program and video application of the network camera have been loaded, and is signed with the private key of the signature key of the network camera;
1.4 The trusted gateway system measures the boot process of the trusted gateway, measures the memory code segment in which the kernel program of the trusted gateway and the application program of the trusted gateway have been loaded, loads the signature key of the trusted gateway and generates the identity certificate of the trusted gateway; the identity certificate of the trusted gateway comprises the trusted boot measurement value of the trusted gateway and the measurement value of the memory code segment in which the kernel program and application program of the trusted gateway have been loaded, and is signed with the private key of the signature key of the trusted gateway;
1.5 The network camera system composes an identity authentication request message from the identity certificate and serial number of the network camera and sends it to the trusted gateway; at the same time it receives the video data sent by the image sensor module and the sound sensor module of the network camera, stores it in the data buffer of the network camera, and waits for the identity authentication result;
1.6 After receiving the identity authentication request sent by the network camera, the trusted gateway composes a certificate verification request message from the identity certificate of the trusted gateway, the serial number of the trusted gateway, the identity certificate of the network camera and the serial number of the network camera, sends it to the authentication center server, and waits for the certificate verification result;
1.7 After receiving the certificate verification request message sent by the trusted gateway, the authentication center queries the network camera identity database with the serial number of the network camera and obtains the network camera identity information list corresponding to the serial number of the network camera; it queries the trusted gateway identity database with the serial number of the trusted gateway and obtains the trusted gateway identity information list corresponding to the serial number of the trusted gateway; it verifies the legitimacy of the identity certificate of the network camera according to the information in the network camera identity information list and the legitimacy of the identity certificate of the trusted gateway according to the information in the trusted gateway identity information list, and generates the certificate verification results of the network camera and the trusted gateway; it digitally signs the certificate verification results of the network camera and the trusted gateway with the private key of the authentication center and sends the signed certificate verification result to the trusted gateway;
1.8 The trusted gateway receives the certificate verification result sent by the authentication center server and verifies its digital signature with the public key of the authentication center; if verification fails, the trusted gateway sends the certificate verification request message to the authentication center again; if verification succeeds, the trusted gateway forwards the certificate verification result signed with the private key of the authentication center server to the network camera and reads the received certificate verification result; if the identities of both the network camera and the trusted gateway pass, it opens the data forwarding channel between the trusted gateway and the network camera and waits to receive video data; if the identity of the trusted gateway does not pass, it raises an alarm and restarts the trusted gateway;
1.9 The network camera system receives the certificate verification result sent by the trusted gateway, verifies its digital signature with the public key of the authentication center server, and reads the received certificate verification result; if the identities of both the network camera and the trusted gateway pass, the network camera system sends the video data held in the data buffer of the network camera to the trusted gateway through the data forwarding channel connected to the trusted gateway; if the identity of the network camera does not pass, it raises an alarm and restarts the network camera.
CN201310536210.8A 2013-11-03 2013-11-03 Network camera identity authentication method based on TPCM Active CN103888257B (en)

Publications (2)

Publication Number Publication Date
CN103888257A true CN103888257A (en) 2014-06-25
CN103888257B CN103888257B (en) 2017-01-18




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant